Global Risk Management Survey

Edward Hida
Partner
Global Risk & Capital Management Leader
Deloitte US

We are pleased to share with you a selection of key insights explored in Deloitte's Global Risk Management Survey, 10th edition. In this feature, we focus on the evolution of risk management, the role of the CRO, and board risk committees for discussion.

Printed with permission of Deloitte US
T crisis have seen a wave of regulatory change that increased both the scope and the stringency of regulatory have now had more time to understand the practical implications of these new regulations and what is required to comply. Today, risk management is becoming confront a variety of trends that have introduced greater uncertainty than before as regards the future direction of the business and regulatory environment. Economic conditions in many countries continue to be weak, with historically low interest rates. The continual increase in regulatory requirements may abate or even be reversed in the near term as President Trump, the US Congress, and others have questioned whether regulatory oversight has gone too far. Strategic risk is increasing as entrepreneurial FinTech players are sectors. The rapidly changing environment suggests that risk management programs may need to increase their ability to regulatory and business developments and to emerging risks, for example, by employing predictive analytics tools.

Deloitte's Global Risk Management Survey assesses the industry's risk management practices and the challenges it faces in this turbulent period. The 10th survey was conducted in the second half of 2016 after the Brexit vote in the United Kingdom but before the US presidential election services institutions around the world that sections and have aggregate assets of US$13.6 trillion.

The evolution of Risk Management

Over the 20 years that Deloitte has been conducting its global risk management industry has become more complex, with the introduction of new products and services. At the same time, regulatory requirements and expectations for risk management have broadened to cover a wider range of issues and also become more stringent, especially in Deloitte's survey series has assessed how institutions have responded to these developments, the substantial progress that has occurred in the maturity of risk management programs, and their challenges.
In general, over this period, risk management programs have become almost universally adopted, and now programs have expanded capabilities. Boards of directors are more involved in risk management and more institutions employ someone in a senior-level CRO position. The following are some of the key areas where the survey series has documented increasing maturity in risk management programs.

More active board oversight

In 2016, 93 percent of respondents said their board of directors reviews and approves the overall risk management policy or ERM framework, an increase from 81 percent in 2012.

More use of board risk committees

It is a regulatory expectation that boards of directors establish a risk committee with primary responsibility for risk oversight. The use of a board risk committee has become more widespread, although there is clearly room for further adoption (Figure 1).

Figure 1: Percentage of institutions risk management at the level of the board of directors with a board risk committee
2012: 43%
2014: 51%
2016: 63%
Source: GMRS survey 10th edition

The rapidly changing environment suggests that risk management programs may need to increase their ability to anticipate and regulatory and business developments and to emerging risks, for example, by employing predictive analytics tools.
Over the years, there has been a continual increase in the percentage of institutions with a CRO position or equivalent. As of 2016, the position has become almost universal (Figure 2). At the same time, the CRO is now a more senior-level position reporting to higher levels of the organization. Similarly, the CRO more often directly reports to the board of directors at 52 percent of institutions in 2016, up from 32 percent in 2002. Furthermore, 77 percent of institutions reported that the CRO is a member of the executive management committee, an increase from 58 percent in 2010.

Wider set of responsibilities

Over time, the CRO and the independent risk management program have been given a wider set of responsibilities at many institutions. For example, in 2016, 92 percent of respondents said that one of the responsibilities of the CRO was to assist in developing and documenting the enterprise-level risk appetite statement, compared with 72 percent in 2008. Similarly, 76 percent said that the CRO was responsible for assessing capital adequacy, while this was the case at 54 percent of the institutions in 2006.

Widespread adoption of an ERM program

The adoption of ERM programs has more than doubled, from 35 percent in 2006 to 73 percent in 2016 (Figure 3). The implementation of ERM programs moved upward in 2010, which was likely in on enhancing risk management.

While there has been considerable progress in the continued development and maturation of risk management programs, there remains considerable work to do.

Figure 2: Percentage of institutions
2002: 65%
2004: 81%
2006: 84%
2008: 73%
2010: 86%
2012: 89%
2014: 92%
2016: 92%
Source: GMRS survey 10th edition

Figure 3: Percentage of institutions with an ERM program in place
2006: 35%
2008: 36%
2010: 52%
2012: 62%
2014: 69%
2016: 73%
Source: GMRS survey 10th edition
Board Risk Committees

Placing oversight responsibility for risk management with a board risk committee is a general regulatory expectation and has come to be seen as a leading practice. The Basel Committee issued guidance in 2010 that stressed the importance of a board-level risk committee, especially for large banks and internationally active banks, and revised guidance in 2015 specifying the appropriate role of the risk committee.1 Similarly, the enhanced prudential standards (EPS) issued by the Federal Reserve establish certain requirements for US banks to have a risk committee of the board of directors, with some requirements phased in based on the size of the institution.

Sixty-three percent of institutions reported that they have a risk committee of the board of directors with primary responsibility for risk oversight, up from 51 percent in 2014. As a result of the ascendance of the board risk committee, only 16 percent said the full board has primary responsibility, down from 23 percent in the prior survey.

Placing primary responsibility in a board risk committee is much more common in the United States and Canada (89 percent) than in Europe (65 percent), (63 percent). This may be a response to the requirements of the Federal Comptroller of the Currency's (OCC) heightened standards regarding board risk committees. A prominent role for board risk committees is more common at banks (74 percent compared to 56 percent in 2014), although it also rose at investment 44 percent) and insurers (61 percent up from 49 percent).

As noted, there has been a trend for institutions to include independent directors on their board risk committees. The Federal Reserve's EPS requires that the risk committee include at least one independent director, while the US OCC regulations increased the required number to two independent directors. The survey found that the trend toward independent directors on board risk committees has become pronounced.
that their board risk committee includes two or more independent directors (as well as other directors), while 36 percent said it is composed entirely of independent directors (Figure 4).

Composed entirely of independent directors: 36%
Contains two or more independent directors (as well as other directors): 45%
Contains one independent director: 5%
Does not contain any independent directors: 13%
Note: Percentages may not total due to rounding
Source: GMRS survey 10th edition

1. Basel Committee on Banking Supervision, Principles for enhancing corporate governance, October 2010, http://www.bis.org/
Having the risk committee chaired by an independent director and having the participation of a risk management expert are becoming regulatory expectations for larger institutions. Many institutions independent directors as members of their risk committee, or even for their risk committee to be chaired by an independent director, than to secure management expert. Seventy-two percent of institutions reported that their board risk committee is chaired by an independent director, while 67 percent have a risk management expert on their committee.

expert is most common in the United States and Canada (78 percent), Asia (86 percent), whereas it is less common in Europe (52 percent). One reason for the lower prevalence in Europe is that European regulations contain a more general requirement that risk committee members...shall have appropriate knowledge, skills, and expertise to fully understand and monitor the risk strategy and the risk appetite of the institution.2

Having an independent risk management function headed by a CRO is a regulatory expectation. The Basel Committee guidance on governance recommends that large banks and internationally active banks have a risk management function authority, stature, independence, resources, and access to the board.3

2. and of the Council, Article 76, 26 June 2013, http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2013:176:0338:0436:en:PDF.
3. Basel Committee on Banking Supervision, Principles for enhancing corporate governance.

Adoption of a CRO position is almost universal, with 92 percent of institutions reporting that they have a CRO or equivalent position. The CRO position is more common at institutions in the United States/Canada (89 percent) and Europe (92 Latin America (63 percent).
regulatory expectation, for the CRO to report directly to the board of directors as well as to the CEO, but this is not the case at many institutions. The CRO reports to the board of directors at 52 percent of the institutions surveyed, up slightly from 48 percent in 2014. Further, the CRO reports to the CEO at 75 percent of institutions, meaning that at one quarter of the institutions the CRO does not report to the most senior management executive in the organization. It appears that many institutions have more work to do to improve the reporting structure for their CRO.

it is easier to have independent directors as members of their risk committee, or even for their risk committee to be chaired by an independent director, than to secure management expert.

At 90 percent of surveyed institutions, the CRO regularly meets with the board of directors or board committees responsible for risk management, although fewer (53 percent) reported that their CRO meets in executive sessions with the board. with the board of directors or the board risk committee without the CEO or other members of senior management present can provide the board with an opportunity to receive a frank assessment of the state of the risk management program and the

It is a leading practice for the CRO to be the most senior management position responsible for the risk management program, but the CRO does not universally have this role. Only 48 percent of institutions reported that the CRO or equivalent is the highest level of management responsible for the risk management program, similar to the percentage in 2014. Other common responses were the CEO (27 percent), the executive-level risk committee (16 percent), or the CFO (4 percent). Assigning primary responsibility for risk management to the CRO is more common among institutions in the United States and Canada (78 percent) percent), or Latin America (25 percent).

Institutions assign a broad range independent risk management group headed by the CRO.
Many oversight activities were nearly universal, including developing and implementing the risk management framework, methodologies, standards, policies, and limits (94 percent), identifying new and emerging risks (94 percent), and developing risk information reporting mechanisms (94 percent).

However, a number of other important oversight activities are in place at no more than two-thirds of institutions, including providing input on business strategy development and the periodic assessment of the plan (65 percent) and participating in day-to-day business decisions that management considerations need to be infused into both strategy and business decisions so that risk implications can be assessed, and more progress still needs to be made in these areas.

Another area that a relatively low percentage of respondents said was a responsibility of the risk management program was approving new business or products (58 percent). This may be partly explained by the fact that relatively few new products are being introduced in the current economic and regulatory environment.

Finally, regulators and industry leaders have devoted considerable attention to the role that incentive compensation and culture play in risk management, yet the activity of reviewing the compensation plan to assess its impact on the risk a responsibility by just 54 percent of respondents. This was more often a risk management responsibility at institutions in the United States and Canada (75 percent) and Europe (62 percent) than in (43 percent).

Conclusion

With the future direction of risk management more uncertain than it has been for years, perhaps the most important lesson is that many risk management programs should become nimbler. In the coming years, risk management programs should focus not only on being on acquiring the agility to respond risk management.